| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of Grafana
jQuery, Symfony: Cross Site Scripting via templates
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, Grafana, IBM API Connect, Joomla Extensions ~ not comprehensive, Red Hat SSO, Symfony, Synology DSM, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.
Description of the vulnerability
An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Grafana: privilege escalation via Org-Admin/Alerting Pages
Synthesis of the vulnerability
An attacker can bypass restrictions via Org-Admin/Alerting Pages of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 2/4.
Consequences: privileged access/rights, data creation/edition.
Provenance: user account.
Creation date: 07/03/2019.
Identifiers: VIGILANCE-VUL-28688.
Description of the vulnerability
An attacker can bypass restrictions via Org-Admin/Alerting Pages of Grafana, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Grafana: code execution via go-macaroon
Synthesis of the vulnerability
An attacker can use a vulnerability via go-macaroon of Grafana, in order to run code.
Impacted products: Grafana.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user shell.
Creation date: 03/12/2018.
Identifiers: 5469, VIGILANCE-VUL-27939.
Description of the vulnerability
An attacker can use a vulnerability via go-macaroon of Grafana, in order to run code.
Full Vigil@nce bulletin... (Free trial) |
Grafana: file reading via Text Panels
Synthesis of the vulnerability
A local attacker can read a file via Text Panels of Grafana, in order to obtain sensitive information.
Impacted products: Grafana.
Severity: 2/4.
Consequences: data reading.
Provenance: privileged account.
Creation date: 14/11/2018.
Identifiers: CVE-2018-19039, VIGILANCE-VUL-27790.
Description of the vulnerability
A local attacker can read a file via Text Panels of Grafana, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial) |
Grafana: Cross Site Scripting via Query Editor
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via Query Editor of Grafana, in order to run JavaScript code in the context of the web site.
Impacted products: Grafana.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 24/10/2018.
Identifiers: 13667, CVE-2018-1000816, VIGILANCE-VUL-27610.
Description of the vulnerability
The Grafana product offers a web service.
However, it does not filter received data via Query Editor before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via Query Editor of Grafana, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Grafana: privilege escalation via LDAP/OAuth
Synthesis of the vulnerability
An attacker can bypass restrictions via LDAP/OAuth of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/08/2018.
Identifiers: CVE-2018-15727, CVE-2018-558213-REJECT, VIGILANCE-VUL-27104.
Description of the vulnerability
An attacker can bypass restrictions via LDAP/OAuth of Grafana, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Grafana: privilege escalation via Proxy IP Address
Synthesis of the vulnerability
An attacker can bypass restrictions via Proxy IP Address of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 29/06/2018.
Identifiers: VIGILANCE-VUL-26592.
Description of the vulnerability
An attacker can bypass restrictions via Proxy IP Address of Grafana, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Grafana: privilege escalation via API Keys Dashboard Overwrite
Synthesis of the vulnerability
An attacker can bypass restrictions via API Keys Dashboard Overwrite of Grafana, in order to escalate his privileges.
Impacted products: Grafana.
Severity: 2/4.
Consequences: data creation/edition, data deletion.
Provenance: user account.
Creation date: 19/06/2018.
Identifiers: 12343, VIGILANCE-VUL-26455.
Description of the vulnerability
An attacker can bypass restrictions via API Keys Dashboard Overwrite of Grafana, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Grafana: Cross Site Scripting via Dashboard
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via Dashboard of Grafana, in order to run JavaScript code in the context of the web site.
Impacted products: Grafana.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 12/06/2018.
Identifiers: CVE-2018-12099, VIGILANCE-VUL-26374.
Description of the vulnerability
The Grafana product offers a web service.
However, it does not filter received data via Dashboard before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via Dashboard of Grafana, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about Grafana:
|